Through the Eyes of a Sleuth: The Nomad Bridge Hack
Ready for the next step on your crypto detective journey? Toven from Boring Security will take you through the Nomad bridge hack, focusing on some of the first responders and how they attacked the case.
The Calm Before the Storm
Of the top 5 largest crypto-related hacks, 4 of them involved funds drained from bridges: protocols that connect two blockchains, allowing users to transfer assets from one chain to another. On August 1, 2022, Nomad Bridge was hacked, with over $186M drained in just a few hours. Hundreds of copycats executed transactions based on an initial exploit discovered by black hat hackers. To put it simply, the Nomad Bridge smart contract was vulnerable because of a flawed validation process, which allowed anyone who submitted a specific chunk of data to withdraw funds.
The Genesis of the Hack: How it All Began
On a seemingly mundane Monday in August, Spreekaway noticed a very interesting transaction on the Nomad Bridge. His tweet about it, and many others, instantly spread like wildfire throughout Crypto Twitter, with the $320M Wormhole bridge hack in February and the $615M Ronin hack in March still fresh in people’s minds. Posts like Vitalik’s notes on a multi-chain ecosystem had been discussed all year long, focusing on the security implications of such systems.
As Spreekaway tracked down the transactions, a pattern revealed itself: initial exploiters carefully selected their target, Wrapped BTC, and withdrew it in batches of 100 wBTC, valued at $2.3M at a time. Millions of dollars in nominal value were drained within the first 15 minutes of the exploit, and within an hour, the bridge was losing $10M every minute.
Spreekaway: The First Responder
Spreekaway graciously accepted Boring Security’s request for an interview and shared insights into his work. An independent researcher and consultant whose Twitter account is a gold mine for near-real-time updates on some of the most notorious on-chain events and regulatory implications, Spreek is an invaluable resource to the Crypto community.
During our interview, we asked how he managed to notice the Nomad transactions so quickly. He replied: “I first noticed the Nomad hack from an alert of a large [transaction] fee paid by one of the people generalized frontrunning it. [Generalized frontrunning is an automated approach to monitoring blockchain transactions and attempting to send a transaction similar to ones already pending and having your transaction executed first.] [I] looked into the [transaction], saw the abnormal outflows to many different accounts/MEV bots and realized something was up.”
Spreekaway then expanded on the various signs of a potential exploit, saying: “Some examples of the sorts of things I look for are:
- Large TVL [Total Value Locked, a DeFi term for the amount of money locked in a specific protocol]
- Changes in contracts
- High gas fees/bribes paid
- Generalized frontrunning
- Accounts funded from suspicious sources (especially those that also deploy contracts)
- Large trades/price changes.
Automated tools help a lot with keeping track of this, but it is also helpful to have a network of people on Twitter and in chat groups that also have an eye out for interesting or unusual activity on-chain.” On that day, Spreek’s systems helped him keep up with the rapid-fire pace of the hack, allowing him to post updates on X (Fmr. Twitter) as the event unfolded.
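Three of the signals Spreekaway lists above (an abnormally large fee, a contract paying out to many recipients at once, and recipients funded from a tagged source) can be written down as simple checks over a transfer feed. The following is an added example, not code from Boring Security, Spreekaway or Nomad; every address, block number, value and funding label in it is a constructed placeholder, and in a real monitor the feed and the `FUNDED_BY` map would come from a node or a tracing service.

```python
"""Heuristic monitor over a constructed transfer feed.

Added example (not code from Boring Security or Spreekaway); it turns three of
the signals listed above into checks that run over sample data:
  * an abnormally large transaction fee (a frontrunner's bribe),
  * one contract paying out to many distinct recipients in a short window,
  * recipients funded from a tagged suspicious source.
All addresses and numbers below are constructed placeholders, not Nomad data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    block: int
    tx_hash: str
    source: str        # contract the tokens left
    recipient: str     # address that received them
    usd_value: float
    fee_eth: float     # total fee paid for the transaction, tip included


# Constructed feed: six ordinary withdrawals, then a burst draining "0xbridge".
FEED = [
    Transfer(100, "a1", "0xbridge",  "0xuser1",     5_000,     0.004),
    Transfer(101, "a2", "0xdex",     "0xuser2",     12_000,    0.006),
    Transfer(102, "a3", "0xbridge",  "0xuser3",     800,       0.005),
    Transfer(103, "a4", "0xlending", "0xuser4",     25_000,    0.007),
    Transfer(104, "a5", "0xbridge",  "0xuser5",     3_000,     0.005),
    Transfer(105, "a6", "0xdex",     "0xuser6",     9_000,     0.004),
    Transfer(110, "b1", "0xbridge",  "0xattacker1", 2_300_000, 0.010),
    Transfer(110, "b2", "0xbridge",  "0xbot1",      2_300_000, 0.900),  # bribe
    Transfer(111, "b3", "0xbridge",  "0xattacker1", 2_300_000, 0.011),
    Transfer(111, "b4", "0xbridge",  "0xcopy2",     2_300_000, 0.012),
    Transfer(112, "b5", "0xbridge",  "0xcopy3",     2_300_000, 0.015),
    Transfer(112, "b6", "0xbridge",  "0xbot1",      2_300_000, 0.800),  # bribe
]

# Constructed funding labels, as an explorer or tracing tool would provide them.
FUNDED_BY = {"0xattacker1": "0xmixer", "0xcopy3": "0xmixer",
             "0xbot1": "0xexchange", "0xuser5": "0xexchange"}
SUSPICIOUS_FUNDERS = {"0xmixer"}


def flag_high_fees(feed, multiplier=10.0, min_history=5):
    """Return tx hashes whose fee exceeds `multiplier` times the median of all
    fees seen before them. The first `min_history` entries only build history."""
    flagged, history = [], []
    for t in feed:
        if len(history) >= min_history and t.fee_eth > multiplier * median(history):
            flagged.append(t.tx_hash)
        history.append(t.fee_eth)
    return flagged


def flag_drain_fanout(feed, window_blocks=10, min_recipients=4, min_usd=5_000_000):
    """For each source contract, slide a block window over its outgoing transfers
    and alert when the window holds many distinct recipients and a large USD total.
    Returns {source: {"first_alert_block", "recipients", "usd_out"}}; the recipient
    list and total reflect the latest window that tripped the thresholds."""
    by_source = defaultdict(list)
    for t in feed:
        by_source[t.source].append(t)
    alerts = {}
    for source, transfers in by_source.items():
        transfers.sort(key=lambda t: t.block)
        for end in range(len(transfers)):
            oldest = transfers[end].block - window_blocks + 1
            window = [t for t in transfers[:end + 1] if t.block >= oldest]
            recipients = {t.recipient for t in window}
            usd_out = sum(t.usd_value for t in window)
            if len(recipients) >= min_recipients and usd_out >= min_usd:
                alerts.setdefault(source, {"first_alert_block": transfers[end].block})
                alerts[source].update(recipients=sorted(recipients), usd_out=usd_out)
    return alerts


def flag_suspicious_funding(addresses, funded_by=FUNDED_BY, suspicious=SUSPICIOUS_FUNDERS):
    """Subset of `addresses` whose known funding source is on the suspicious list."""
    return sorted(a for a in addresses if funded_by.get(a) in suspicious)


def triage(feed=FEED):
    """Combine the three signals into human-readable alert lines."""
    lines = [f"high fee: tx {h}" for h in flag_high_fees(feed)]
    for source, info in flag_drain_fanout(feed).items():
        lines.append(f"drain fan-out from {source} starting block "
                     f"{info['first_alert_block']}: ${info['usd_out']:,.0f} "
                     f"to {len(info['recipients'])} recipients")
        for a in flag_suspicious_funding(info["recipients"]):
            lines.append(f"  recipient {a} funded by {FUNDED_BY[a]}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage()))
```

On the constructed feed the fee check trips on the two bribe transactions, the fan-out check first fires at block 111, one block after the burst starts, and the funding check singles out the two recipients labelled as mixer-funded. The thresholds are deliberately plain; in practice each one is tuned per contract against its normal activity, which is the part that Spreekaway's automation and network of watchers supply.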
The Blackhats: Finding the Source
As hackers worldwide joined in the rush to exploit Nomad, other sleuths worked on finding the root issue. Some looked at the smart contract, some studied the bridge infrastructure, and yet others theorized about Secret Recovery Phrases or private key compromises on the bridge deployer wallets. Throughout these intense few hours, Nomad stakeholders, users, and the community all watched helplessly, unable to explain or prevent the losses. As sleuths dug into the transactions at the start of the exploit, a few wallets were tagged as the original exploiters. It was later discovered that the attackers had planned their attack at least a day in advance; they tested the vulnerability with small amounts to ensure their approach would succeed. It was also noted that these exploiter wallets were funded via Tornado Cash, pointing to the exploiters being Blackhats with no intent to return funds. [Tornado Cash is a financial privacy tool intended to keep the source of funds private. TC was sanctioned by the US Government in 2022 and is currently not legal to use].
JP Introduces Tornado Cash and Mapping the Chain
Using tools, sleuths can recognize patterns in the flow of Tornado Cash transactions related to the attackers. JP, a Tornado Cash expert, discusses his current work: “I’m up against Tornado Cash, which is pretty daunting, however with a great network, determination, and a logical approach it is possible to overcome. For example, during the Beanstalk investigation, we understood the post-withdrawal behaviors of more than 3,000 wallets and eventually identified a pattern that came full circle and linked back with other curious transactions from the protocol.”
JP has a history of thorough research using a variety of tools to get to the bottom of incidents.
Here, JP discusses a common process these investigators have to go through, compiling massive lists of suspected wallets and analyzing each one for various usage patterns and more, to tie them back to an identity. Tornado Cash was used to fund the initial Beanstalk exploiter wallets, so an understanding of pre-exploit behaviors is also critical for investigating these hackers.
JP described his toolset as: “On a day-to-day basis, I find myself using MetaSleuth, Breadcrumbs, Debank, all of the blockchain explorers, Arkham Intelligence and a huge suite of OSInt [OSInt is the term used to describe Open Source Intelligence, meaning information publicly available on the internet] tools, including ‘X’ (formerly known as Twitter).”
By leveraging a variety of tools with different purposes, JP conducts investigations based on data from blockchain transactions while gaining a deeper understanding of the users conducting these exploits.
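The "compile a list of suspects, then analyse each one" process described above can be sketched as a short graph walk followed by per-wallet scoring. The following is an added example, not JP's code and not how MetaSleuth, Breadcrumbs or Arkham work internally; the transfer edges, the exploit block and the per-wallet facts (who deployed a contract, who touched the victim) are constructed placeholders standing in for what an explorer would report, and the weights are illustrative assumptions.

```python
"""Pre-exploit funding trace over a constructed transfer graph.

Added example (not JP's code or any of the tools he names); it sketches the
"compile a list of suspects, then analyse each one" step described above:
walk outward from a tagged address (a mixer withdrawal, say) a few hops,
then score every wallet on behaviours an explorer can confirm. All addresses,
blocks and per-wallet facts are constructed placeholders, not Nomad data.
"""
from collections import defaultdict, deque

# Constructed transfers: (sender, recipient, block, eth).
EDGES = [
    ("0xmixer",     "0xhop1",       90, 10.0),
    ("0xmixer",     "0xfresh2",     92,  1.0),
    ("0xhop1",      "0xattacker1",  95,  9.9),
    ("0xfresh2",    "0xattacker2",  96,  0.9),
    ("0xhop1",      "0xbystander",  97,  0.1),
    ("0xexchange",  "0xbot1",       80,  5.0),
    ("0xattacker1", "0xlaundry",   130, 50.0),   # post-exploit cash-out, ignored here
]
EXPLOIT_BLOCK = 110
# Constructed per-wallet facts, as a block explorer would report them.
DEPLOYED_CONTRACT = {"0xattacker1", "0xattacker2"}
TOUCHED_VICTIM = {"0xattacker1", "0xattacker2", "0xbot1"}   # interacted with the bridge


def downstream(edges, origin, max_hops=3, before_block=EXPLOIT_BLOCK):
    """BFS along outgoing transfers that happened before `before_block`.
    Returns {wallet: hops from origin} for every wallet reached within max_hops."""
    out = defaultdict(list)
    for sender, recipient, block, _ in edges:
        if block < before_block:
            out[sender].append(recipient)
    hops, queue = {origin: 0}, deque([origin])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue
        for nxt in out[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    hops.pop(origin)
    return hops


def first_funded(edges):
    """Block of each wallet's earliest incoming transfer."""
    first = {}
    for _, recipient, block, _ in edges:
        first[recipient] = min(block, first.get(recipient, block))
    return first


def score_wallets(edges, origin, exploit_block=EXPLOIT_BLOCK, fresh_window=30):
    """Score every wallet in the graph except `origin`; higher is more suspicious.
    Weights are illustrative. Returns (wallet, score, reasons) sorted by score, then name."""
    reached = downstream(edges, origin, before_block=exploit_block)
    funded = first_funded(edges)
    wallets = {w for s, r, _, _ in edges for w in (s, r)} - {origin}
    ranked = []
    for w in sorted(wallets):
        score, reasons = 0, []
        if w in reached:
            score += 2
            reasons.append(f"{reached[w]} hop(s) from {origin}")
        if w in DEPLOYED_CONTRACT:
            score += 3
            reasons.append("deployed a contract")
        if w in TOUCHED_VICTIM:
            score += 3
            reasons.append("interacted with victim contract")
        if w in funded and exploit_block - fresh_window <= funded[w] < exploit_block:
            score += 1
            reasons.append(f"first funded at block {funded[w]}, shortly before exploit")
        ranked.append((w, score, reasons))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for wallet, score, reasons in score_wallets(EDGES, "0xmixer"):
        print(f"{score:2d}  {wallet:12s}  {'; '.join(reasons)}")
```

The walk is cut off at the exploit block so that only pre-exploit funding is followed, which is the behaviour JP says matters for tying exploiters back to their source; the post-exploit cash-out edge is therefore ignored. On the constructed graph the two wallets that were mixer-funded, deployed a contract and touched the victim rank first, the exchange-funded bot that merely interacted with the victim ranks below them, and the bystander that happened to share a funding hop scores low, which is the kind of separation a list of thousands of wallets needs before anyone looks at them by hand.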
The Aftermath: Lessons and Losses
Going back to the Nomad exploit, Nomad later announced a white-hat recovery address, inviting ethical hackers to return drained funds for a reward. This program resulted in 17% of stolen funds being returned just 6 days after posting. Then, they hired a risk and compliance firm and began working with law enforcement to track down blackhats and recover funds. They published their next steps in a blog post: upgrades and audits of their smart contract code. Nomad also hired Chainalysis for blockchain tracing and identification of the hackers. As of their blog post on November 11th, Nomad had recovered $38M, or about 43% of stolen funds.
Commenting on the difficulty of developing secure on-chain contracts, Spreekaway said: “Developers should assume that even their carefully checked and audited code will likely have bugs or unintended behavior included. It is thus very important to design systems that are more robust to things going wrong.”
The Result: A Sobering Reality
The Nomad Bridge hack was salt in a still-fresh wound, and it reverberated across the crypto landscape, illustrating the intricate vulnerabilities that come with decentralized financial systems. While the exploit itself was simplistic in its mechanics—a flawed validation process in the smart contract—it unleashed a cascade of consequences that were anything but trivial. The insights of sleuths like Spreekaway provide valuable perspectives, but they also underscore the sobering reality that these vulnerabilities should never have existed in the first place. As blockchain technology forges ahead, this incident stands as a stark reminder of the delicate balance between innovation and security.
In the battle between whitehat sleuths, blackhat exploiters, and developers shaping the crypto landscape, Spreekaway’s observations hit home. “[In] the cat and mouse game between nefarious actors and the people trying to detect and stop them,” Spreek noted, “it seems that it is a battle the whitehats are destined to lose in the long run [..] as exploiters become more sophisticated.” He points to Ethereum Improvement Proposals (EIPs), like the so-called “circuit breaker EIP”, as potential game-changers in this arena. [EIP is the term for proposals (Ethereum Improvement Proposals) that set the standard for the Ethereum chain] Spreek also mentioned the rise of MEV [Maximum Extractable Value] as an evolving line of defense, stating that “many security researchers and MEV people are watching everything they do on-chain.”
JP echoed this sentiment but took it a step further: “I’m really looking forward to seeing mempool bots battling it out to prevent exploits.” [The mempool is the public pool of pending transactions waiting to be confirmed on-chain. Mempool bots watch these pending transactions and submit their own copies with a higher fee so that the copy is confirmed first, creating “front-run” transactions.] He emphasized that some, like BlockSec, are already leading the charge. He also lamented the human cost of these attacks, saying, “Too many scammers are getting away with their malicious actions, without consequence, whilst […] destroying people to the point where they’re considering ending their life! That sounds horrible but it is true. The things that victims go through are terrible and no one hears it! So I’m here to take a stand.”
The Importance of Blockchain Sleuths For The Wider Crypto Community
To close out, it’s important to recognize the role of these sleuths as unsung heroes in the crypto ecosystem. Their vigilance and analytical prowess often serve as a last line of defense against exploits that can devastate individual lives and shake the very foundations of DeFi. As we navigate this rapidly evolving landscape, their work underscores the critical need for constant vigilance and adaptability in securing a future where innovation and security can coexist.
Now that you’re clued up about the types of attacks possible, you’re ready to learn some skills! Keep reading to learn about the types of tools and practical knowledge you need to fight crypto crime.